Excessive credit concentrations in high-risk industries due to the bank's inability to take
a cross-country view. Overlapping responsibilities for management of operational risk
leading to significant trades with unauthorized parties going undetected. Significant
mortgage related write-downs as a result of insufficient risk modeling skills. Insufficient
contingency plans to support a migration ending in system failure and complete shutdown
of the branch network for more than 48 hours. And the collapse of entire institutions
whose strategy to rely disproportionately on wholesale markets to fund their international
expansion went unnoticed in the absence of a comprehensive view of risks.


The growing list of organization-related risk incidents since the onset of the financial
crisis has naturally alarmed bank executives, shareholders and other stakeholders
alike. But as senior executives continue to review their reporting structures, incentive
systems, risk culture and key processes to identify what went wrong, many are struggling
to come up with a robust solution.


In addition to the risk management challenges directly created by the crisis, banks face
intensifying pressure from regulators anxious to ensure sufficient risk oversight and
control, and from an economic environment that demands tough action on costs. Risk
functions must be simultaneously effective (fully resilient to future shocks) and efficient.


Traditional ways of looking at the Risk organization — focused on aspects such as 
divisional structures or centralized versus distributed decision making — often hinder 
a complete understanding of the Risk function and leave important gaps in a bank's 
defences. The complexity of the varied set of risk activities and responsibilities may 
obscure what needs to be improved to drive effectiveness and efficiency. 


In this article we will propose a new way to look at the Risk organization that will help
financial institutions assess and then improve their organization's effectiveness and
efficiency. This new ‘lens’ allows executives to identify those areas that are weakest by
analysing the different sub-functions of Risk — sub-functions that have different objectives
and perform different activities and therefore require different skills and remedies
for improvement.


We will also present the results of research into 20 top international banks — highlighting
typical deficiencies in some areas of the Risk function and some of the weak interactions
between them — and recommend an agenda for action.


Defining the lens


Our new approach groups the responsibilities of the Risk function into four components
as set out in Exhibit 1: these cover Enterprise Risk and Strategy; Risk Modeling
and Monitoring; Single-name Risk Management; and Risk Operations.


Exhibit 1: The responsibilities of a Risk organization fall under one of four key components

Functional components of the Risk Management organization

Enterprise Risk and Strategy: Ensures enterprise-wide view of risks and a clearly
articulated risk strategy and appetite that is embedded into key managerial processes
and risk-enabled decisions

Risk Modeling and Monitoring: Ensures appropriate portfolio monitoring, and development
of capital adequacy and transaction level models

Single-name Risk Management: Ensures high-quality decisions at the single transaction
level in an efficient and timely manner

Risk Operations: Ensures the bank has efficient risk-related processes and operations
including client and deal on-boarding, credit support, MI, and reporting


Each of the components includes a discrete set of duties, activities and face-offs
that require specific skills and talents within the organization. CROs should be able
to break down these activities and duties, identifying and eliminating any overlaps or
gaps within and between the different components of the Risk function — and between
the Risk function and the business — so as to ensure maximum individual and collective
responsibility and alignment.


What are the key responsibilities of each component? The following high level description
should facilitate a better understanding of each one.


Enterprise Risk and Strategy 


This function clearly defines and articulates the bank’s strategic risk appetite across
risk types, business lines, geographies and products; it designs enterprise risk management
principles and policies for the whole organization and provides the appropriate
governance structure for implementing the agreed strategy.


Risk Modeling and Monitoring 


The professionals in this function translate the bank’s risk appetite into high-level
Enterprise and risk type limits, develop an appropriate management information
framework, build and maintain portfolio/transaction-level and stress testing models,
monitor portfolio exposures and risks and provide guidelines and policies for modeling
units embedded throughout the organization.


Single-name Risk Management 


This part of the Risk organization strives to ensure the highest quality decisions at the
single transaction level for both credit and market risk transactions. It performs risk
analysis for individual clients and transactions, approves and dismisses transactions,
and proposes and implements mitigation strategies for single name transactions to
manage transactions through their life-cycle.


Risk Operations 


This component of the Risk organization translates business unit and product risk
decisions into keystroke decision procedures, designs and manages effective and
efficient risk related administrative processes, ensures appropriate recording (client
on-boarding, technology and MI), booking and compliance of all transactions, and
produces reports.


The four components comprehensively capture all the risk organization's responsibilities
along the transactions value chain: each responsibility is grouped in one of the
four components based on its characteristics as illustrated in Exhibit 2.


Exhibit 2: A framework covering all risk activities...

[Figure: activities along the value chain for credit and market transactions, grouped
under Single-name Risk Management, Risk Operations, and Risk Modeling and Monitoring.
Legible steps: prepare credit analysis / prepare market deal analysis; approve/reject
single cases; ... and service it throughout its life; monitor, manage, and mitigate
portfolio risks.]


Each of the four components in the Risk function has its own clear objectives, priorities
and responsibilities that are structurally different from each of the other components;
any gaps within them will be with respect to meeting these inherent objectives
and responsibilities, and efforts to improve effectiveness and efficiency by closing
the gaps will therefore require a different set of actions or levers (as illustrated
in Exhibit 3).


Exhibit 3: Effectiveness and Efficiency levers are applied differently for each
functional component given their distinct success drivers

[Figure: levers by component, with columns for Enterprise Risk and Strategy, Risk
Modeling and Monitoring, Single-name Risk Management, and Risk Operations; the legend
includes "secondary lever".]


For example, at a bank with a high-quality credit organization - where credit sanctioners
were responsible for significant parts of the processing - a dedicated credit back-office
was set up with clear responsibilities to process transactions from end-to-end. This not
only reduced the burden on credit, but improved customer service through cutting
time-to-cash by 30% and significantly reducing re-work from 70% to 20%. Thus, this lens
afforded not only higher efficiency, but increased effectiveness by allowing sanctioners to
focus more time on assessing credit, rather than checking processes.


It’s also important to understand that the four components are interdependent and
that the organization will only be effective and efficient if robust linkages are established
between them. Any merging of activities, however, will likely result in unclear
accountability, and potential lack of alignment between skills and mandates, as illustrated
by Exhibit 4.


One key linkage is the mechanism by which the Enterprise Risk and Strategy component
disseminates its risk appetite standards and ensures that these are properly
and consistently translated into client and business guidelines by Risk Modeling and
Monitoring. Risk Modeling and Monitoring, after all, is responsible for detecting early
warning signs of stress in the portfolio.


Indeed, the effectiveness of Credit Portfolio Management at a leading bank whose
skills in this area were considered very advanced, was being significantly compromised
by excessive process complexity (mainly the result of unclear interlinkages
between the Single-Name Risk Organization, Risk Modeling and Monitoring and
Enterprise Risk and Strategy) and by unclear roles and responsibilities. Using our
framework, a detailed mapping of the processes and allocation of responsibilities,
including veto rights for the Credit Portfolio Management department in individual
lending decisions, removed blockages and cut time-to-cash from over 3 months to
under 30 days for most cases. Doing this also fostered much improved working relationships
between front-line, credit, and management because it made process, pricing,
pricing shortfalls and ensuing actions significantly clearer.


EMEA Banking Practice
Wearing Varifocals - a new perspective on Risk Organization effectiveness and efficiency


Exhibit 4: A Risk organization with responsibilities merged across components

[Figure: organization chart headed by the CEO, with a legend for the four components:
Enterprise Risk and Strategy; Risk Modeling and Monitoring; Single-name Risk Management;
Risk Operations.]


Exhibit 5: Single-name Risk Management capabilities enhanced through simplifying
roles and responsibilities

[Figure: distribution of roles before and after, within Risk and outside Risk, across
Retail, HNW, SME, Corp and CM. Impact: significantly simpler and more effective
operating ...; % headcount reduction.]


The dangers of overlap are always inherent in the various approaches to management
information. Both the Enterprise Risk and Strategy and the Single-name Risk components
of the organization should define what information they require to oversee
and manage the portfolio. Another important linkage is Risk Modeling and Monitoring
designing the collection process and Risk Operations executing it.


Only by clarifying the roles and common responsibilities within each component can 
duplication and fragmentation be eliminated and an effective and efficient organization 
be created as per the case example in Exhibit 5. 


As CROs view their organization through this new lens, they will also gain an understanding
of the criteria that they should use to assess the effectiveness and efficiency
of its different components (Exhibit 6). In our work with banks we often observe that
executives wrongly assume that the drivers are similar.


Exhibit 6: How the criteria differ for each component

Enterprise risk and strategy
- Clear, conclusive mandate across organization
- CEO/CRO has real ‘clout’; requirement should be clear to senior managers
- Led by true risk professionals

Risk modeling and monitoring
- Typically ‘center of excellence’ set up to embed best talent and ensure credibility
- Clearly defined roles and responsibilities to avoid duplication
- Strongly defined formal links to business

Single name risk management
- Full independence, but strong link to business (e.g. through mission to reflect
  bank’s risk appetite)
- Clear decision thresholds
- Measurable decision quality
- Blend of decision quality and efficiency at lower end

Risk operations
- Systematic, ‘factory’ approach with clear efficiency and effectiveness measures
- Mentality of continuous improvement (towards customer, business)


Learning from the lens


By looking at the Risk organization structures of 20 large international banks, we found
that the four components are often not individually optimized, and the interdependencies
between them do not always work properly together (see Exhibit 7).


Exhibit 7: Review of Risk function within 20 large global banks highlighted
frequent issues across the four components

Organizational issues identified and confirmed, by Risk component, with the share of
banks where the issue is severe*

Enterprise Risk and Strategy
- Fragmentation of responsibilities, lack of overarching accountability on all risks
  and on enterprise-wide risk: 80%
- Weak role of CRO in core management processes (i.e. portfolio management, budgeting,
  planning, provisioning, etc.): 90%

Risk Modeling and Monitoring
- Lack of risk capabilities within units requiring advanced analytical and
  quantitative skills e.g., modeling: 40%
- Absence of attractive career path to attract "internal" talents into the
  risk organization: 40%

Single-name Risk Management
- Limited independence of risk functions and unclear mandate: 40%
- Ineffective risk committees: slow decision making process, limited control on
  execution: 57%
- Excessive socialization of risk responsibilities due to wide risk committees vs.
  individual accountability: 57%

Risk Operations
- Unclear allocation of risk responsibilities e.g., credit risk and internal control
  in relation to trades with unauthorized parties: 30%
- Ineffective risk management systems/poor risk data availability and quality: 20%

Level of interdependencies across components
- Weak interaction protocols between risk units internally and other constituencies
  (BUs, internal controls, CFO) along core processes: [illegible]

* McKinsey analysis


Our research showed that:


Among the four individual parts the Enterprise Risk and Strategy component is the
weakest. In many organizations, this component either does not receive sufficient
attention, have the necessary clout or the dedicated organizational focus point. Where
it does, the remit of the unit is not clear. In many cases, for example, we found that the
strategic unit does not develop a true Enterprise, cross-asset class view (on credit
exposures, for example) with the result that those sitting in this sub-function have only
a partial (and often misleadingly calm) picture of the truth.


The Modeling and Monitoring component often lacks the required analytical talent
and fails effectively to leverage that scarce talent it is able to attract and retain.
Furthermore, there is often a lack of clear ownership for risk activities (especially for
operational risk), leading to a lack of accountability and less effective risk controls.


The Single-name Risk Management component is often not sufficiently independent
of the business unit and relies too much on committees, with the result that decision
processes are ineffective and inefficient. We found that the Single-name Risk
Management component struggles to divide responsibilities clearly between itself
and the business units: misalignment, and slow and ineffective decision making
inevitably follow.


The Risk Operations component typically fails to clearly allocate responsibilities, especially
for operational risk with the Risk Modeling and Monitoring component. This area
of the Risk organization typically offers the largest opportunities to streamline and
consolidate activities.
Finally, the importance of the interdependencies between the four components is not well
understood, and therefore linkages are often not appropriately defined. A clear illustration
of this could be found in the response of banks to the significant increase in rescheduling/
restructuring requests received at the dawn of the crisis. Discussions with the Single-name
Risk Management component of the organization were not shared with Monitoring
and Modeling which therefore failed to revise the assumptions behind its models. Such
signals of change from the front line were not in turn translated to Enterprise Risk and
Strategy with the result that banks’ risk strategy remained unchanged.


Exhibit 8 catalogues a number of failures that can be laid at the door of the different
components of the Risk organization.


Exhibit 8: Recent history highlights a number of risk incidents that can be clearly
linked to organizational failures around these four essential components

Enterprise Risk and Strategy
- Wholesale market exposure to fund international expansion resulted in a collapse of
  3 major banks
- Lending businesses were allowed to increase credit concentration in high-risk industry
  beyond the Risk function's stated appetite, amplifying loss during the financial crisis

Risk Modeling and Monitoring
- Identification of suspicious trading patterns were not appropriately escalated,
  preventing timely intervention and leading to billion dollar loss
- Significant mortgage-related write-downs — failure to properly model / price mortgage
  securities risk as a result of insufficient stress testing

Single-name Risk Management
- Portfolio manager made unauthorized derivatives trades on behalf of clients
- Failure to properly assess risks associated with offering inappropriate loans to some
  borrowers

Risk Operations
- Systems failure leading to loss of tapes containing records for millions of clients
- Millions transferred through automated currency swap transaction on day of Lehman's
  collapse — automated transfer took place before “decision meeting” was supposed to
  take place


Applying the lens


The new framework can help banks understand where to focus their attention as they
strive to improve their Risk organizations. It will allow them to enhance their Risk functions
so they are both cost efficient and more resilient to future shocks. We recommend
that banks take the following steps:


1. Run a detailed diagnostic on the effectiveness of each of the four components and
their sub-components. Understand the extent to which each component falls short
of what's required and identify the sources of divergence (organization structure,
talent and skills, process design, for instance).


2. Assess efficiency by conducting a mapping of the Risk organization to determine
where FTEs sit between and within the four components. Identify where each risk
activity takes place within the organization and to what extent there are gaps/overlaps
or organizational fragmentation. Develop an understanding of the appropriate
FTE/activity coverage ratio (the number of credit files per FTE, for instance), and
how the size and structure of the Risk organization match up to competitors.


3. Gauge the effectiveness of the interactions, interdependencies and linkages 
between the four components. Are these interdependencies well managed? 
Identify weak spots where responsibilities within the components are not 
appropriately articulated or service levels not defined. 


4. Identify specific improvement opportunities for the Risk organization for each of 
the four components. Address any talent shortages, any weak interdependencies, 
any inadequate processes and defects in the organizational structure for each 
component and identify a targeted set of actions. 


Exhibit 9 provides an example of how our approach to the assessment would
work in practice: it drills down into the sub functions of the overall Risk Modeling and
Monitoring component of the organization and describes a broader set of success
criteria which we have developed through our work with banks. The key point here is
that the success factors will not just be different for each component but for each
sub function.


Exhibit 9: Each component can be further disaggregated into discrete activities
to identify distinct success factors and improvement opportunities

[Figure: the four functional components (Enterprise Risk and Strategy; Risk Modeling
and Monitoring; Single-name Risk Management; Risk Operations), with Risk Modeling and
Monitoring broken down into activities. Legible activity labels: 2.1 Modeling and
analytics; 2.3 Market & liquidity Risk monitoring; 2.4 Credit Risk monitoring;
2.5 Operational Risk oversight; 2.1.1 Define data requirements for Risk data collection;
2.1.2 Prepare & monitor early ... indicators; 2.1.3 Develop & manage transaction-level
models; 2.1.5 Validate Risk models; 2.1.6 ... analysis & stress testing;
2.1.4.1 Develop, maintain and back-test portfolio-level capital requirements ...;
2.1.4.2 Develop, maintain and back-test ...; 2.1.4.3 Run capital ... on ongoing basis;
2.1.4.4 Ensure integration of ... models across the enterprise.]

Success criteria shown for the capital model activities:
- Does the bank have capital models that meet ... requirements and are robust?
- Does the bank have economic capital models that are sophisticated, robust and ...
  effectively allocate capital?
- Are capital and return estimates for the overall portfolio, and for portfolio
  segments, being prepared accurately in a timely manner?
- Are capital adequacy models well understood and implemented for their intended
  purpose throughout the bank?


Case examples


Here are four brief portraits of how different institutions have scrutinized the four 
components of our framework: 


Example 1 — Single-name risk management 


Notwithstanding the bank's high-quality credit organization, it discovered that 70% of
credit sanctioners were also responsible for significant parts of the processing. This
took up to 50% of their work time and compromised credit delivery as well as the quality
of credit decisions.


Determined to become world class, the bank set up a dedicated credit back-office
with clear responsibilities to process transactions from end-to-end, including all
aspects of credit delivery. The organization had its own dedicated operational KPIs
which were measured and published weekly so as to ensure that the team kept
focused. As a result of the change, sanctioners were able to concentrate on credit
decisioning excellence rather than process, not only easing their own burden but
improving customer service through credit delivery times that were 50% shorter and
re-work that tumbled from 70% of transactions to 20%. Looking through this lens
therefore achieved the twin aims of greater efficiency and increased effectiveness.


Example 2 - Risk Operations


Another large bank fared extremely well in the crisis. In particular, its historic strengths
in strategic/enterprise risk management paid off. It was quick to identify large portfolios
of loans and trading asset classes likely to deteriorate if financial market conditions
worsened, and made some bold decisions early on to retrench. A long-standing
ERM process considered emerging risks in each major business, encouraged debate
and reviewed limits. However, the bank had been less vigilant about risk operations
and controls. It lacked strong, clear accountability for a whole range of control and
compliance processes throughout the middle and back offices. As a consequence
there were a large number of regulatory mishaps which were punished by fines,
required expensive new capital buffers and brought extra outside scrutiny. The bank’s
response has been to upgrade its risk/control operations through instilling the
importance of process ownership, tightening up risk tolerance levels and
streamlining governance.


Example 3 - Enterprise and Strategic Risk 


One highly successful investment bank reviewed its loss experience during the financial
crisis to ascertain the strength of its risk function. It found it had done exceptionally
well in single-name approvals and in risk operations. Its loan loss experience relative
to its portfolio was well below industry average, while it mostly avoided operational risk
‘events’ during the turbulence.


However, the bank did uncover material weaknesses in its strategic risk management
set-up, discovering that it had neither a dedicated function nor strong governance.
For example, it had not debated the size of the structured finance warehouse,
analyzed concentrations in select sub-asset classes in trading, or monitored the
migration into lower-rated underwritings in CRE. In effect it was relying on single-name
processes to assess strategic risks.


The bank's response was to make swift and significant changes to its structure,
introducing a small but highly insightful ERM unit that reported directly to CRO,
strengthening divisional risk committees to unearth strategic risk issues, launching
business-level deep dive ERM reviews, and incorporating strategic risk reporting/
issue logs into quarterly business MIS.


Example 4 - Single transaction organization and data/modeling


After a detailed review of the reasons behind the failures of its Risk organization during
the crisis, a large universal bank acted to improve its central risk oversight, match its
risk monitoring responsibilities with risk assessment capabilities, upgrade the quality
of its risk talent, and overhaul its risk data. The review confirmed that neither pure
business unit nor pure group structures provided the answer.


As a consequence the bank created a Risk function aligned with business units that 
all report to the center. In cases where it makes sense — for example the Investment 
Banking Risk Unit and market risks — the Risk function in the business unit monitors 
risks on behalf of the group. In this way the most appropriate unit with the best talent 
performs the task. In addition, the bank initiated a determined talent improvement 
program starting with the most senior ranks of the Risk organization, and embarked 
on a 12-month campaign to make data about its risk positions more consistent, 
transparent and timely. 


In the middle of the current turbulence, we urge CROs to use our new ‘varifocal’ lens
to reassess the resilience and efficiency of their Risk organizations. We believe such
a review — and the lessons learned from the analysis — will better equip Risk organizations
to withstand future financial shocks and ensure effective and efficient execution
of all critical risk activities.